lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 11 Feb 2022 11:58:14 -0800
From:   Kees Cook <>
To:     Robert Święcki <>
Cc:     "Eric W. Biederman" <>,
        Andy Lutomirski <>,
        Will Drewry <>,,
Subject: Re: [PATCH 0/3] signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE

On February 11, 2022 4:54:26 AM PST, "Robert Święcki" <> wrote:
>> It's mainly about the exit stuff having never been run before on these
>> kinds of process states, so things don't make sense. For example, on the
>> SIGSYS death, the registers have been rewound for the coredump, so when
>> the exit trace runs on x86 it sees the syscall return value as equal to
>> the syscall number (since %rax is used for the syscall number on entry
>> and for the syscall result on exit). So when a tracer watches a seccomp
>> fatal SIGSYS, it sees the syscall exit before it sees the child exit
>> (and therefore the signal). For example, x86_64 write (syscall number
>> 1), will return as if it had written 1 byte. :P
>> So, it's not harmful, but it's confusing and weird. :)
>> > I am trying to figure out if there is a case to be made that it was a
>> > bug that these events were missing.
>> I don't think so -- the syscall did not finish, so there isn't a valid
>> return code. The process exited before it completed.
>A tangential point: please ignore for the purpose of fixing the
>problem at hand. I'm mostly making it, in case it can be taken into
>account in case some bigger changes to this code path are to be made -
>given that it touches the problem of signal delivery.
>When I noticed this problem, I was looking for a way to figure out
>what syscall caused SIGSYS (via SECCOMP_RET_KILL_*), and there's no
>easy way to do that programmatically from the perspective of a parent
>process. There are three ways of doing this that come to mind.

I had hoped that the parent could read the SIGSYS siginfo_t from the
child, but I haven't found any way to do this. :( :(

I don't seem to be able to use:

- PTRACE_ATTACH to use PTRACE_PEEKSIGINFO on a dead process.
- signalfd (nothing is in the fd after the exit).


Kees Cook

Powered by blists - more mailing lists